Open Bug 838835 Opened 8 years ago Updated 4 years ago

crash in js::analyze::ScriptAnalysis::analyzeLifetimes

Categories

(Core :: JavaScript Engine, defect)

18 Branch
x86
Windows 7
defect
Not set
critical

Tracking

()

Tracking Status
firefox18 --- affected
firefox19 - affected
firefox20 --- unaffected
firefox21 --- unaffected

People

(Reporter: scoobidiver, Unassigned)

References

Details

(Keywords: crash, regression)

Crash Data

It's #9 top browser crasher in 18.0.2 and has spiked only in this version. 
I don't know why 19.0 is unaffected. Either it's fixed or the Beta population is not representative.

Signature 	UpdatePropertyType More Reports Search
UUID	b189f7a5-ec20-4bb6-ae8c-b539b2130206
Date Processed	2013-02-06 17:01:52
Uptime	11293
Last Crash	3.8 hours before submission
Install Age	8.1 hours since version was first installed.
Install Time	2013-02-06 08:54:52
Product	Firefox
Version	18.0.2
Build ID	20130201065344
Release Channel	release
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 20 model 1 stepping 0
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xb36
User Comments	Since todays update Firefox has been very unstable. I suggest you remove the up date until you can get it sorted. I woul hate to have to resort to Chrome. (No I'm not joking)
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x9802, AdapterSubsysID: 00000000, AdapterDriverVersion: 9.2.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
Processor Notes 	sp-processor10.phx1.mozilla.com_7173:2008
EMCheckCompatibility	True
Adapter Vendor ID	0x1002
Adapter Device ID	0x9802
Total Virtual Memory	4294836224
Available Virtual Memory	3626303488
System Memory Use Percentage	26
Available Page File	9616961536
Available Physical Memory	4442566656

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	UpdatePropertyType 	js/src/jsinfer.cpp:3129
1 	mozjs.dll 	js::analyze::ScriptAnalysis::analyzeLifetimes 	js/src/jsanalyze.cpp:739
2 	mozjs.dll 	js::analyze::ScriptAnalysis::analyzeSSA 	js/src/jsanalyze.cpp:1207
3 	mozjs.dll 	js::analyze::ScriptAnalysis::analyzeTypes 	js/src/jsinfer.cpp:4406
4 	mozjs.dll 	JSScript::ensureRanInference 	js/src/jsinferinlines.h:1717
5 	mozjs.dll 	MakeJITScript 	js/src/methodjit/Compiler.cpp:689
6 	mozjs.dll 	js::mjit::CanMethodJIT 	js/src/methodjit/Compiler.cpp:1054
7 	mozjs.dll 	UncachedInlineCall 	js/src/methodjit/InvokeHelpers.cpp:297
8 	mozjs.dll 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:451
9 	mozjs.dll 	js::mjit::CallCompiler::update 	js/src/methodjit/MonoIC.cpp:1220
10 	mozjs.dll 	js::mjit::ic::Call 	js/src/methodjit/MonoIC.cpp:1298
11 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:319
12 	mozjs.dll 	UncachedInlineCall 	js/src/methodjit/InvokeHelpers.cpp:363
13 	mozjs.dll 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:451
14 	mozjs.dll 	js::mjit::CallCompiler::update 	js/src/methodjit/MonoIC.cpp:1220
15 	mozjs.dll 	js::mjit::ic::Call 	js/src/methodjit/MonoIC.cpp:1298
16 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:319
17 	mozjs.dll 	UncachedInlineCall 	js/src/methodjit/InvokeHelpers.cpp:363
18 	mozjs.dll 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:451
19 	mozjs.dll 	js::mjit::CallCompiler::update 	js/src/methodjit/MonoIC.cpp:1220
20 	mozjs.dll 	js::mjit::ic::Call 	js/src/methodjit/MonoIC.cpp:1298
21 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:319
22 	mozjs.dll 	UncachedInlineCall 	js/src/methodjit/InvokeHelpers.cpp:363
23 	mozjs.dll 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:451
24 	mozjs.dll 	js::mjit::CallCompiler::update 	js/src/methodjit/MonoIC.cpp:1220
25 	mozjs.dll 	js::mjit::ic::Call 	js/src/methodjit/MonoIC.cpp:1298
26 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:319
27 	mozjs.dll 	UncachedInlineCall 	js/src/methodjit/InvokeHelpers.cpp:363
28 	mozjs.dll 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:451
29 	mozjs.dll 	js::mjit::CallCompiler::update 	js/src/methodjit/MonoIC.cpp:1220
30 	mozjs.dll 	js::mjit::ic::Call 	js/src/methodjit/MonoIC.cpp:1298
31 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:1122
32 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2527
33 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:322
34 	mozjs.dll 	js::ExecuteKernel 	js/src/jsinterp.cpp:507
35 	mozjs.dll 	js::Execute 	js/src/jsinterp.cpp:545
36 	mozjs.dll 	JS::Evaluate 	js/src/jsapi.cpp:5708
37 	xul.dll 	nsXPConnect::GetXPConnect 	js/xpconnect/src/nsXPConnect.cpp:141
38 		@0xe664a80 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=UpdatePropertyType
Like bug 806820, this is spread over a large range of installations, and as Scoobidiver notes, the only version we're seeing this in seems to be 18.0.2 so far:

SELECT version,COUNT(*) as crashes,COUNT(DISTINCT client_crash_date - install_age  * interval '1 second') as installations FROM reports WHERE product='Firefox' AND signature='UpdatePropertyType' AND utc_day_is(date_processed, '2013-02-06') GROUP BY version;
 version | crashes | installations 
---------+---------+---------------
 18.0.2  |     412 |           408
(1 row)

URLs are also mostly Facebook.

It's not a cause for alarm so far as it's *way* lower than the bug 806820 crashes have been.
For right now, we're not going to track on FF19 (seems unaffected).
There are a few crashes in 19.0b5 with a similar stack trace. See https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aanalyze%3A%3AScriptAnalysis%3A%3AextendVariable%28JSContext*%2C+js%3A%3Aanalyze%3A%3ALifetimeVariable%26%2C+unsigned+int%2C+unsigned+int%29
Crash Signature: [@ UpdatePropertyType] → [@ UpdatePropertyType] [@ js::analyze::ScriptAnalysis::extendVariable(JSContext*, js::analyze::LifetimeVariable&, unsigned int, unsigned int)]
Summary: crash in UpdatePropertyType → crash in js::analyze::ScriptAnalysis::analyzeLifetimes
It's #160 browser crasher in 19.0.
Keywords: topcrash
It appears to be highly correlated with AMD graphics in 19.0. Possibly the same driver bug we've been tracking elsewhere.
Assignee: general → nobody
Crash Signature: [@ UpdatePropertyType] [@ js::analyze::ScriptAnalysis::extendVariable(JSContext*, js::analyze::LifetimeVariable&, unsigned int, unsigned int)] → [@ UpdatePropertyType] [@ js::analyze::ScriptAnalysis::extendVariable(JSContext*, js::analyze::LifetimeVariable&, unsigned int, unsigned int)] [@ js::analyze::ScriptAnalysis::extendVariable]
You need to log in before you can comment on or make changes to this bug.